Thycotic’s Cyber Security Publication

January 16th, 2018

Who is responsible for creating, implementing and overseeing your organization’s Privileged Account Management Policy template? And what is at risk if no individuals or departments are named to ensure that your users and systems are in compliance with your PAM Policy?

Let’s get the easy part out of the way: if your organization has its PAM Policy clearly defined in a template, yet users are left to comply with your policy rules as they see fit, it’s likely that your cyber security posture is home to a significant amount of chaos—and with chaos comes great risk.

With ransomware and data breaches rapidly on the rise, no organization can afford the massive losses, both financial and otherwise, that come with a cyber-attack.

So, who owns the PAM Policy template?

Organizations—even fairly small ones—must identify a person or department who will take ownership of their PAM Policy template and be responsible for seeing that the policy requirements are carried out.

In a small company

In a small company with a single central IT team, the responsibility falls to this team. The IT team owns the policy template and must ensure that all users in the company are educated in and compliant with the PAM Policy.

In medium and large organizations

The situation in medium or large organizations is more complex due to these and other variables:

The size and maturity of the organization.

The location—is it limited to one state, or many; one country, or a few; or is it a global organization?

The size and structure of the IT team—some organizations have separate teams for managing different IT functions, such as IT Operations, IT Security, IT Risk, Identity and Access Management, and Cloud.

The compliance requirements of the organization—these depend on the organization’s industry and may include PCI, NIST, ISO, SOX, HIPAA and EU GDPR.

With these variables in mind, here are some typical case scenarios for PAM Policy ownership in larger organizations:

PAM is part of the larger Identity and Access Management (IAM) and Identity Governance function. So, in organizations that have a defined IAM team, the PAM Policy template usually falls under that team’s ownership.
It is also likely that the IAM team has an assigned owner for Governance and Compliance, because PAM is a common element of most industries’ compliance mandates and regulations. For these organizations compliance is essential, and the PAM Policy template helps them meet those requirements.

In organizations where IAM is not a defined function, ownership of the PAM Policy template usually falls to IT Risk and Governance, again to ensure the organization can meet its industry compliance mandates and regulations.

If the organization does not have a Risk and Governance team, then the PAM Policy falls to the IT Security and Risk team, which is responsible for defining the IT Security Policy of which the PAM Policy is a part. IT Operations and IT Security are then responsible for ensuring the PAM Policy is deployed, enforced and complied with.

As you can see, ownership of the PAM Policy template really depends on the organization’s structure and industry. But more often than not it falls under Governance and Compliance.

Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.